1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2013 Red Hat 4 * Author: Rob Clark <robdclark@gmail.com> 5 */ 6 7 #include <linux/file.h> 8 #include <linux/sync_file.h> 9 #include <linux/uaccess.h> 10 11 #include <drm/drm_drv.h> 12 #include <drm/drm_file.h> 13 #include <drm/drm_syncobj.h> 14 15 #include "msm_drv.h" 16 #include "msm_gpu.h" 17 #include "msm_gem.h" 18 #include "msm_gpu_trace.h" 19 20 /* For userspace errors, use DRM_UT_DRIVER.. so that userspace can enable 21 * error msgs for debugging, but we don't spam dmesg by default 22 */ 23 #define SUBMIT_ERROR(err, submit, fmt, ...) \ 24 UERR(err, (submit)->dev, fmt, ##__VA_ARGS__) 25 26 /* 27 * Cmdstream submission: 28 */ 29 30 static struct msm_gem_submit *submit_create(struct drm_device *dev, 31 struct msm_gpu *gpu, 32 struct msm_gpu_submitqueue *queue, uint32_t nr_bos, 33 uint32_t nr_cmds, u64 drm_client_id) 34 { 35 static atomic_t ident = ATOMIC_INIT(0); 36 struct msm_gem_submit *submit; 37 uint64_t sz; 38 int ret; 39 40 sz = struct_size(submit, bos, nr_bos) + 41 ((u64)nr_cmds * sizeof(submit->cmd[0])); 42 43 if (sz > SIZE_MAX) 44 return ERR_PTR(-ENOMEM); 45 46 submit = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN); 47 if (!submit) 48 return ERR_PTR(-ENOMEM); 49 50 submit->hw_fence = msm_fence_alloc(); 51 if (IS_ERR(submit->hw_fence)) { 52 ret = PTR_ERR(submit->hw_fence); 53 kfree(submit); 54 return ERR_PTR(ret); 55 } 56 57 ret = drm_sched_job_init(&submit->base, queue->entity, 1, queue, 58 drm_client_id); 59 if (ret) { 60 kfree(submit->hw_fence); 61 kfree(submit); 62 return ERR_PTR(ret); 63 } 64 65 kref_init(&submit->ref); 66 submit->dev = dev; 67 submit->aspace = queue->ctx->aspace; 68 submit->gpu = gpu; 69 submit->cmd = (void *)&submit->bos[nr_bos]; 70 submit->queue = queue; 71 submit->pid = get_pid(task_pid(current)); 72 submit->ring = gpu->rb[queue->ring_nr]; 73 submit->fault_dumped = false; 74 75 /* Get a unique identifier for the submission for logging purposes */ 76 submit->ident = atomic_inc_return(&ident) - 1; 77 78 INIT_LIST_HEAD(&submit->node); 79 80 return submit; 81 } 82 83 void __msm_gem_submit_destroy(struct kref *kref) 84 { 85 struct msm_gem_submit *submit = 86 container_of(kref, struct msm_gem_submit, ref); 87 unsigned i; 88 89 /* 90 * In error paths, we could unref the submit without calling 91 * drm_sched_entity_push_job(), so msm_job_free() will never 92 * get called. Since drm_sched_job_cleanup() will NULL out 93 * s_fence, we can use that to detect this case. 94 */ 95 if (submit->base.s_fence) 96 drm_sched_job_cleanup(&submit->base); 97 98 if (submit->fence_id) { 99 spin_lock(&submit->queue->idr_lock); 100 idr_remove(&submit->queue->fence_idr, submit->fence_id); 101 spin_unlock(&submit->queue->idr_lock); 102 } 103 104 dma_fence_put(submit->user_fence); 105 106 /* 107 * If the submit is freed before msm_job_run(), then hw_fence is 108 * just some pre-allocated memory, not a reference counted fence. 109 * Once the job runs and the hw_fence is initialized, it will 110 * have a refcount of at least one, since the submit holds a ref 111 * to the hw_fence. 112 */ 113 if (kref_read(&submit->hw_fence->refcount) == 0) { 114 kfree(submit->hw_fence); 115 } else { 116 dma_fence_put(submit->hw_fence); 117 } 118 119 put_pid(submit->pid); 120 msm_submitqueue_put(submit->queue); 121 122 for (i = 0; i < submit->nr_cmds; i++) 123 kfree(submit->cmd[i].relocs); 124 125 kfree(submit); 126 } 127 128 static int submit_lookup_objects(struct msm_gem_submit *submit, 129 struct drm_msm_gem_submit *args, struct drm_file *file) 130 { 131 unsigned i; 132 int ret = 0; 133 134 for (i = 0; i < args->nr_bos; i++) { 135 struct drm_msm_gem_submit_bo submit_bo; 136 void __user *userptr = 137 u64_to_user_ptr(args->bos + (i * sizeof(submit_bo))); 138 139 /* make sure we don't have garbage flags, in case we hit 140 * error path before flags is initialized: 141 */ 142 submit->bos[i].flags = 0; 143 144 if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { 145 ret = -EFAULT; 146 i = 0; 147 goto out; 148 } 149 150 /* at least one of READ and/or WRITE flags should be set: */ 151 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) 152 153 if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) || 154 !(submit_bo.flags & MANDATORY_FLAGS)) { 155 ret = SUBMIT_ERROR(EINVAL, submit, "invalid flags: %x\n", submit_bo.flags); 156 i = 0; 157 goto out; 158 } 159 160 submit->bos[i].handle = submit_bo.handle; 161 submit->bos[i].flags = submit_bo.flags; 162 } 163 164 spin_lock(&file->table_lock); 165 166 for (i = 0; i < args->nr_bos; i++) { 167 struct drm_gem_object *obj; 168 169 /* normally use drm_gem_object_lookup(), but for bulk lookup 170 * all under single table_lock just hit object_idr directly: 171 */ 172 obj = idr_find(&file->object_idr, submit->bos[i].handle); 173 if (!obj) { 174 ret = SUBMIT_ERROR(EINVAL, submit, "invalid handle %u at index %u\n", submit->bos[i].handle, i); 175 goto out_unlock; 176 } 177 178 drm_gem_object_get(obj); 179 180 submit->bos[i].obj = obj; 181 } 182 183 out_unlock: 184 spin_unlock(&file->table_lock); 185 186 out: 187 submit->nr_bos = i; 188 189 return ret; 190 } 191 192 static int submit_lookup_cmds(struct msm_gem_submit *submit, 193 struct drm_msm_gem_submit *args, struct drm_file *file) 194 { 195 unsigned i; 196 size_t sz; 197 int ret = 0; 198 199 for (i = 0; i < args->nr_cmds; i++) { 200 struct drm_msm_gem_submit_cmd submit_cmd; 201 void __user *userptr = 202 u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd))); 203 204 ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd)); 205 if (ret) { 206 ret = -EFAULT; 207 goto out; 208 } 209 210 /* validate input from userspace: */ 211 switch (submit_cmd.type) { 212 case MSM_SUBMIT_CMD_BUF: 213 case MSM_SUBMIT_CMD_IB_TARGET_BUF: 214 case MSM_SUBMIT_CMD_CTX_RESTORE_BUF: 215 break; 216 default: 217 return SUBMIT_ERROR(EINVAL, submit, "invalid type: %08x\n", submit_cmd.type); 218 } 219 220 if (submit_cmd.size % 4) { 221 ret = SUBMIT_ERROR(EINVAL, submit, "non-aligned cmdstream buffer size: %u\n", 222 submit_cmd.size); 223 goto out; 224 } 225 226 submit->cmd[i].type = submit_cmd.type; 227 submit->cmd[i].size = submit_cmd.size / 4; 228 submit->cmd[i].offset = submit_cmd.submit_offset / 4; 229 submit->cmd[i].idx = submit_cmd.submit_idx; 230 submit->cmd[i].nr_relocs = submit_cmd.nr_relocs; 231 232 userptr = u64_to_user_ptr(submit_cmd.relocs); 233 234 sz = array_size(submit_cmd.nr_relocs, 235 sizeof(struct drm_msm_gem_submit_reloc)); 236 /* check for overflow: */ 237 if (sz == SIZE_MAX) { 238 ret = -ENOMEM; 239 goto out; 240 } 241 submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN); 242 if (!submit->cmd[i].relocs) { 243 ret = -ENOMEM; 244 goto out; 245 } 246 ret = copy_from_user(submit->cmd[i].relocs, userptr, sz); 247 if (ret) { 248 ret = -EFAULT; 249 goto out; 250 } 251 } 252 253 out: 254 return ret; 255 } 256 257 /* This is where we make sure all the bo's are reserved and pin'd: */ 258 static int submit_lock_objects(struct msm_gem_submit *submit) 259 { 260 int ret; 261 262 drm_exec_init(&submit->exec, DRM_EXEC_INTERRUPTIBLE_WAIT, submit->nr_bos); 263 264 drm_exec_until_all_locked (&submit->exec) { 265 for (unsigned i = 0; i < submit->nr_bos; i++) { 266 struct drm_gem_object *obj = submit->bos[i].obj; 267 ret = drm_exec_prepare_obj(&submit->exec, obj, 1); 268 drm_exec_retry_on_contention(&submit->exec); 269 if (ret) 270 goto error; 271 } 272 } 273 274 return 0; 275 276 error: 277 return ret; 278 } 279 280 static int submit_fence_sync(struct msm_gem_submit *submit) 281 { 282 int i, ret = 0; 283 284 for (i = 0; i < submit->nr_bos; i++) { 285 struct drm_gem_object *obj = submit->bos[i].obj; 286 bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE; 287 288 /* Otherwise userspace can ask for implicit sync to be 289 * disabled on specific buffers. This is useful for internal 290 * usermode driver managed buffers, suballocation, etc. 291 */ 292 if (submit->bos[i].flags & MSM_SUBMIT_BO_NO_IMPLICIT) 293 continue; 294 295 ret = drm_sched_job_add_implicit_dependencies(&submit->base, 296 obj, 297 write); 298 if (ret) 299 break; 300 } 301 302 return ret; 303 } 304 305 static int submit_pin_objects(struct msm_gem_submit *submit) 306 { 307 struct msm_drm_private *priv = submit->dev->dev_private; 308 int i, ret = 0; 309 310 for (i = 0; i < submit->nr_bos; i++) { 311 struct drm_gem_object *obj = submit->bos[i].obj; 312 struct msm_gem_vma *vma; 313 314 /* if locking succeeded, pin bo: */ 315 vma = msm_gem_get_vma_locked(obj, submit->aspace); 316 if (IS_ERR(vma)) { 317 ret = PTR_ERR(vma); 318 break; 319 } 320 321 ret = msm_gem_pin_vma_locked(obj, vma); 322 if (ret) 323 break; 324 325 submit->bos[i].iova = vma->iova; 326 } 327 328 /* 329 * A second loop while holding the LRU lock (a) avoids acquiring/dropping 330 * the LRU lock for each individual bo, while (b) avoiding holding the 331 * LRU lock while calling msm_gem_pin_vma_locked() (which could trigger 332 * get_pages() which could trigger reclaim.. and if we held the LRU lock 333 * could trigger deadlock with the shrinker). 334 */ 335 mutex_lock(&priv->lru.lock); 336 for (i = 0; i < submit->nr_bos; i++) { 337 msm_gem_pin_obj_locked(submit->bos[i].obj); 338 } 339 mutex_unlock(&priv->lru.lock); 340 341 submit->bos_pinned = true; 342 343 return ret; 344 } 345 346 static void submit_unpin_objects(struct msm_gem_submit *submit) 347 { 348 if (!submit->bos_pinned) 349 return; 350 351 for (int i = 0; i < submit->nr_bos; i++) { 352 struct drm_gem_object *obj = submit->bos[i].obj; 353 354 msm_gem_unpin_locked(obj); 355 } 356 357 submit->bos_pinned = false; 358 } 359 360 static void submit_attach_object_fences(struct msm_gem_submit *submit) 361 { 362 int i; 363 364 for (i = 0; i < submit->nr_bos; i++) { 365 struct drm_gem_object *obj = submit->bos[i].obj; 366 367 if (submit->bos[i].flags & MSM_SUBMIT_BO_WRITE) 368 dma_resv_add_fence(obj->resv, submit->user_fence, 369 DMA_RESV_USAGE_WRITE); 370 else if (submit->bos[i].flags & MSM_SUBMIT_BO_READ) 371 dma_resv_add_fence(obj->resv, submit->user_fence, 372 DMA_RESV_USAGE_READ); 373 } 374 } 375 376 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx, 377 struct drm_gem_object **obj, uint64_t *iova) 378 { 379 if (idx >= submit->nr_bos) { 380 return SUBMIT_ERROR(EINVAL, submit, "invalid buffer index: %u (out of %u)\n", 381 idx, submit->nr_bos); 382 } 383 384 if (obj) 385 *obj = submit->bos[idx].obj; 386 if (iova) 387 *iova = submit->bos[idx].iova; 388 389 return 0; 390 } 391 392 /* process the reloc's and patch up the cmdstream as needed: */ 393 static int submit_reloc(struct msm_gem_submit *submit, struct drm_gem_object *obj, 394 uint32_t offset, uint32_t nr_relocs, struct drm_msm_gem_submit_reloc *relocs) 395 { 396 uint32_t i, last_offset = 0; 397 uint32_t *ptr; 398 int ret = 0; 399 400 if (offset % 4) 401 return SUBMIT_ERROR(EINVAL, submit, "non-aligned cmdstream buffer: %u\n", offset); 402 403 /* For now, just map the entire thing. Eventually we probably 404 * to do it page-by-page, w/ kmap() if not vmap()d.. 405 */ 406 ptr = msm_gem_get_vaddr_locked(obj); 407 408 if (IS_ERR(ptr)) { 409 ret = PTR_ERR(ptr); 410 DBG("failed to map: %d", ret); 411 return ret; 412 } 413 414 for (i = 0; i < nr_relocs; i++) { 415 struct drm_msm_gem_submit_reloc submit_reloc = relocs[i]; 416 uint32_t off; 417 uint64_t iova; 418 419 if (submit_reloc.submit_offset % 4) { 420 ret = SUBMIT_ERROR(EINVAL, submit, "non-aligned reloc offset: %u\n", 421 submit_reloc.submit_offset); 422 goto out; 423 } 424 425 /* offset in dwords: */ 426 off = submit_reloc.submit_offset / 4; 427 428 if ((off >= (obj->size / 4)) || 429 (off < last_offset)) { 430 ret = SUBMIT_ERROR(EINVAL, submit, "invalid offset %u at reloc %u\n", off, i); 431 goto out; 432 } 433 434 ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova); 435 if (ret) 436 goto out; 437 438 iova += submit_reloc.reloc_offset; 439 440 if (submit_reloc.shift < 0) 441 iova >>= -submit_reloc.shift; 442 else 443 iova <<= submit_reloc.shift; 444 445 ptr[off] = iova | submit_reloc.or; 446 447 last_offset = off; 448 } 449 450 out: 451 msm_gem_put_vaddr_locked(obj); 452 453 return ret; 454 } 455 456 /* Cleanup submit at end of ioctl. In the error case, this also drops 457 * references, unpins, and drops active refcnt. In the non-error case, 458 * this is done when the submit is retired. 459 */ 460 static void submit_cleanup(struct msm_gem_submit *submit, bool error) 461 { 462 if (error) { 463 submit_unpin_objects(submit); 464 /* job wasn't enqueued to scheduler, so early retirement: */ 465 msm_submit_retire(submit); 466 } 467 468 if (submit->exec.objects) 469 drm_exec_fini(&submit->exec); 470 } 471 472 void msm_submit_retire(struct msm_gem_submit *submit) 473 { 474 int i; 475 476 for (i = 0; i < submit->nr_bos; i++) { 477 struct drm_gem_object *obj = submit->bos[i].obj; 478 479 drm_gem_object_put(obj); 480 } 481 } 482 483 struct msm_submit_post_dep { 484 struct drm_syncobj *syncobj; 485 uint64_t point; 486 struct dma_fence_chain *chain; 487 }; 488 489 static struct drm_syncobj **msm_parse_deps(struct msm_gem_submit *submit, 490 struct drm_file *file, 491 uint64_t in_syncobjs_addr, 492 uint32_t nr_in_syncobjs, 493 size_t syncobj_stride) 494 { 495 struct drm_syncobj **syncobjs = NULL; 496 struct drm_msm_gem_submit_syncobj syncobj_desc = {0}; 497 int ret = 0; 498 uint32_t i, j; 499 500 syncobjs = kcalloc(nr_in_syncobjs, sizeof(*syncobjs), 501 GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 502 if (!syncobjs) 503 return ERR_PTR(-ENOMEM); 504 505 for (i = 0; i < nr_in_syncobjs; ++i) { 506 uint64_t address = in_syncobjs_addr + i * syncobj_stride; 507 508 if (copy_from_user(&syncobj_desc, 509 u64_to_user_ptr(address), 510 min(syncobj_stride, sizeof(syncobj_desc)))) { 511 ret = -EFAULT; 512 break; 513 } 514 515 if (syncobj_desc.point && 516 !drm_core_check_feature(submit->dev, DRIVER_SYNCOBJ_TIMELINE)) { 517 ret = SUBMIT_ERROR(EOPNOTSUPP, submit, "syncobj timeline unsupported"); 518 break; 519 } 520 521 if (syncobj_desc.flags & ~MSM_SUBMIT_SYNCOBJ_FLAGS) { 522 ret = SUBMIT_ERROR(EINVAL, submit, "invalid syncobj flags: %x", syncobj_desc.flags); 523 break; 524 } 525 526 ret = drm_sched_job_add_syncobj_dependency(&submit->base, file, 527 syncobj_desc.handle, syncobj_desc.point); 528 if (ret) 529 break; 530 531 if (syncobj_desc.flags & MSM_SUBMIT_SYNCOBJ_RESET) { 532 syncobjs[i] = 533 drm_syncobj_find(file, syncobj_desc.handle); 534 if (!syncobjs[i]) { 535 ret = SUBMIT_ERROR(EINVAL, submit, "invalid syncobj handle: %u", i); 536 break; 537 } 538 } 539 } 540 541 if (ret) { 542 for (j = 0; j <= i; ++j) { 543 if (syncobjs[j]) 544 drm_syncobj_put(syncobjs[j]); 545 } 546 kfree(syncobjs); 547 return ERR_PTR(ret); 548 } 549 return syncobjs; 550 } 551 552 static void msm_reset_syncobjs(struct drm_syncobj **syncobjs, 553 uint32_t nr_syncobjs) 554 { 555 uint32_t i; 556 557 for (i = 0; syncobjs && i < nr_syncobjs; ++i) { 558 if (syncobjs[i]) 559 drm_syncobj_replace_fence(syncobjs[i], NULL); 560 } 561 } 562 563 static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev, 564 struct drm_file *file, 565 uint64_t syncobjs_addr, 566 uint32_t nr_syncobjs, 567 size_t syncobj_stride) 568 { 569 struct msm_submit_post_dep *post_deps; 570 struct drm_msm_gem_submit_syncobj syncobj_desc = {0}; 571 int ret = 0; 572 uint32_t i, j; 573 574 post_deps = kcalloc(nr_syncobjs, sizeof(*post_deps), 575 GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 576 if (!post_deps) 577 return ERR_PTR(-ENOMEM); 578 579 for (i = 0; i < nr_syncobjs; ++i) { 580 uint64_t address = syncobjs_addr + i * syncobj_stride; 581 582 if (copy_from_user(&syncobj_desc, 583 u64_to_user_ptr(address), 584 min(syncobj_stride, sizeof(syncobj_desc)))) { 585 ret = -EFAULT; 586 break; 587 } 588 589 post_deps[i].point = syncobj_desc.point; 590 591 if (syncobj_desc.flags) { 592 ret = UERR(EINVAL, dev, "invalid syncobj flags"); 593 break; 594 } 595 596 if (syncobj_desc.point) { 597 if (!drm_core_check_feature(dev, 598 DRIVER_SYNCOBJ_TIMELINE)) { 599 ret = UERR(EOPNOTSUPP, dev, "syncobj timeline unsupported"); 600 break; 601 } 602 603 post_deps[i].chain = dma_fence_chain_alloc(); 604 if (!post_deps[i].chain) { 605 ret = -ENOMEM; 606 break; 607 } 608 } 609 610 post_deps[i].syncobj = 611 drm_syncobj_find(file, syncobj_desc.handle); 612 if (!post_deps[i].syncobj) { 613 ret = UERR(EINVAL, dev, "invalid syncobj handle"); 614 break; 615 } 616 } 617 618 if (ret) { 619 for (j = 0; j <= i; ++j) { 620 dma_fence_chain_free(post_deps[j].chain); 621 if (post_deps[j].syncobj) 622 drm_syncobj_put(post_deps[j].syncobj); 623 } 624 625 kfree(post_deps); 626 return ERR_PTR(ret); 627 } 628 629 return post_deps; 630 } 631 632 static void msm_process_post_deps(struct msm_submit_post_dep *post_deps, 633 uint32_t count, struct dma_fence *fence) 634 { 635 uint32_t i; 636 637 for (i = 0; post_deps && i < count; ++i) { 638 if (post_deps[i].chain) { 639 drm_syncobj_add_point(post_deps[i].syncobj, 640 post_deps[i].chain, 641 fence, post_deps[i].point); 642 post_deps[i].chain = NULL; 643 } else { 644 drm_syncobj_replace_fence(post_deps[i].syncobj, 645 fence); 646 } 647 } 648 } 649 650 int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 651 struct drm_file *file) 652 { 653 struct msm_drm_private *priv = dev->dev_private; 654 struct drm_msm_gem_submit *args = data; 655 struct msm_file_private *ctx = file->driver_priv; 656 struct msm_gem_submit *submit = NULL; 657 struct msm_gpu *gpu = priv->gpu; 658 struct msm_gpu_submitqueue *queue; 659 struct msm_ringbuffer *ring; 660 struct msm_submit_post_dep *post_deps = NULL; 661 struct drm_syncobj **syncobjs_to_reset = NULL; 662 struct sync_file *sync_file = NULL; 663 int out_fence_fd = -1; 664 unsigned i; 665 int ret; 666 667 if (!gpu) 668 return -ENXIO; 669 670 if (args->pad) 671 return -EINVAL; 672 673 if (unlikely(!ctx->aspace) && !capable(CAP_SYS_RAWIO)) { 674 DRM_ERROR_RATELIMITED("IOMMU support or CAP_SYS_RAWIO required!\n"); 675 return -EPERM; 676 } 677 678 /* for now, we just have 3d pipe.. eventually this would need to 679 * be more clever to dispatch to appropriate gpu module: 680 */ 681 if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0) 682 return UERR(EINVAL, dev, "invalid pipe"); 683 684 if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS) 685 return UERR(EINVAL, dev, "invalid flags"); 686 687 if (args->flags & MSM_SUBMIT_SUDO) { 688 if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) || 689 !capable(CAP_SYS_RAWIO)) 690 return -EINVAL; 691 } 692 693 queue = msm_submitqueue_get(ctx, args->queueid); 694 if (!queue) 695 return -ENOENT; 696 697 ring = gpu->rb[queue->ring_nr]; 698 699 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 700 out_fence_fd = get_unused_fd_flags(O_CLOEXEC); 701 if (out_fence_fd < 0) { 702 ret = out_fence_fd; 703 goto out_post_unlock; 704 } 705 } 706 707 submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds, 708 file->client_id); 709 if (IS_ERR(submit)) { 710 ret = PTR_ERR(submit); 711 goto out_post_unlock; 712 } 713 714 trace_msm_gpu_submit(pid_nr(submit->pid), ring->id, submit->ident, 715 args->nr_bos, args->nr_cmds); 716 717 ret = mutex_lock_interruptible(&queue->lock); 718 if (ret) 719 goto out_post_unlock; 720 721 if (args->flags & MSM_SUBMIT_SUDO) 722 submit->in_rb = true; 723 724 if (args->flags & MSM_SUBMIT_FENCE_FD_IN) { 725 struct dma_fence *in_fence; 726 727 in_fence = sync_file_get_fence(args->fence_fd); 728 729 if (!in_fence) { 730 ret = UERR(EINVAL, dev, "invalid in-fence"); 731 goto out_unlock; 732 } 733 734 ret = drm_sched_job_add_dependency(&submit->base, in_fence); 735 if (ret) 736 goto out_unlock; 737 } 738 739 if (args->flags & MSM_SUBMIT_SYNCOBJ_IN) { 740 syncobjs_to_reset = msm_parse_deps(submit, file, 741 args->in_syncobjs, 742 args->nr_in_syncobjs, 743 args->syncobj_stride); 744 if (IS_ERR(syncobjs_to_reset)) { 745 ret = PTR_ERR(syncobjs_to_reset); 746 goto out_unlock; 747 } 748 } 749 750 if (args->flags & MSM_SUBMIT_SYNCOBJ_OUT) { 751 post_deps = msm_parse_post_deps(dev, file, 752 args->out_syncobjs, 753 args->nr_out_syncobjs, 754 args->syncobj_stride); 755 if (IS_ERR(post_deps)) { 756 ret = PTR_ERR(post_deps); 757 goto out_unlock; 758 } 759 } 760 761 ret = submit_lookup_objects(submit, args, file); 762 if (ret) 763 goto out; 764 765 ret = submit_lookup_cmds(submit, args, file); 766 if (ret) 767 goto out; 768 769 /* copy_*_user while holding a ww ticket upsets lockdep */ 770 ret = submit_lock_objects(submit); 771 if (ret) 772 goto out; 773 774 if (!(args->flags & MSM_SUBMIT_NO_IMPLICIT)) { 775 ret = submit_fence_sync(submit); 776 if (ret) 777 goto out; 778 } 779 780 ret = submit_pin_objects(submit); 781 if (ret) 782 goto out; 783 784 for (i = 0; i < args->nr_cmds; i++) { 785 struct drm_gem_object *obj; 786 uint64_t iova; 787 788 ret = submit_bo(submit, submit->cmd[i].idx, &obj, &iova); 789 if (ret) 790 goto out; 791 792 if (!submit->cmd[i].size || 793 (size_add(submit->cmd[i].size, submit->cmd[i].offset) > obj->size / 4)) { 794 ret = UERR(EINVAL, dev, "invalid cmdstream size: %u\n", 795 submit->cmd[i].size * 4); 796 goto out; 797 } 798 799 submit->cmd[i].iova = iova + (submit->cmd[i].offset * 4); 800 801 if (likely(!submit->cmd[i].nr_relocs)) 802 continue; 803 804 if (!gpu->allow_relocs) { 805 ret = UERR(EINVAL, dev, "relocs not allowed\n"); 806 goto out; 807 } 808 809 ret = submit_reloc(submit, obj, submit->cmd[i].offset * 4, 810 submit->cmd[i].nr_relocs, submit->cmd[i].relocs); 811 if (ret) 812 goto out; 813 } 814 815 submit->nr_cmds = i; 816 817 idr_preload(GFP_KERNEL); 818 819 spin_lock(&queue->idr_lock); 820 821 /* 822 * If using userspace provided seqno fence, validate that the id 823 * is available before arming sched job. Since access to fence_idr 824 * is serialized on the queue lock, the slot should be still avail 825 * after the job is armed 826 */ 827 if ((args->flags & MSM_SUBMIT_FENCE_SN_IN) && 828 (!args->fence || idr_find(&queue->fence_idr, args->fence))) { 829 spin_unlock(&queue->idr_lock); 830 idr_preload_end(); 831 ret = UERR(EINVAL, dev, "invalid in-fence-sn"); 832 goto out; 833 } 834 835 drm_sched_job_arm(&submit->base); 836 837 submit->user_fence = dma_fence_get(&submit->base.s_fence->finished); 838 839 if (args->flags & MSM_SUBMIT_FENCE_SN_IN) { 840 /* 841 * Userspace has assigned the seqno fence that it wants 842 * us to use. It is an error to pick a fence sequence 843 * number that is not available. 844 */ 845 submit->fence_id = args->fence; 846 ret = idr_alloc_u32(&queue->fence_idr, submit->user_fence, 847 &submit->fence_id, submit->fence_id, 848 GFP_NOWAIT); 849 /* 850 * We've already validated that the fence_id slot is valid, 851 * so if idr_alloc_u32 failed, it is a kernel bug 852 */ 853 WARN_ON(ret); 854 } else { 855 /* 856 * Allocate an id which can be used by WAIT_FENCE ioctl to map 857 * back to the underlying fence. 858 */ 859 submit->fence_id = idr_alloc_cyclic(&queue->fence_idr, 860 submit->user_fence, 1, 861 INT_MAX, GFP_NOWAIT); 862 } 863 864 spin_unlock(&queue->idr_lock); 865 idr_preload_end(); 866 867 if (submit->fence_id < 0) { 868 ret = submit->fence_id; 869 submit->fence_id = 0; 870 } 871 872 if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 873 sync_file = sync_file_create(submit->user_fence); 874 if (!sync_file) { 875 ret = -ENOMEM; 876 } else { 877 fd_install(out_fence_fd, sync_file->file); 878 args->fence_fd = out_fence_fd; 879 } 880 } 881 882 if (ret) 883 goto out; 884 885 submit_attach_object_fences(submit); 886 887 /* The scheduler owns a ref now: */ 888 msm_gem_submit_get(submit); 889 890 msm_rd_dump_submit(priv->rd, submit, NULL); 891 892 drm_sched_entity_push_job(&submit->base); 893 894 args->fence = submit->fence_id; 895 queue->last_fence = submit->fence_id; 896 897 msm_reset_syncobjs(syncobjs_to_reset, args->nr_in_syncobjs); 898 msm_process_post_deps(post_deps, args->nr_out_syncobjs, 899 submit->user_fence); 900 901 902 out: 903 submit_cleanup(submit, !!ret); 904 out_unlock: 905 mutex_unlock(&queue->lock); 906 out_post_unlock: 907 if (ret && (out_fence_fd >= 0)) { 908 put_unused_fd(out_fence_fd); 909 if (sync_file) 910 fput(sync_file->file); 911 } 912 913 if (!IS_ERR_OR_NULL(submit)) { 914 msm_gem_submit_put(submit); 915 } else { 916 /* 917 * If the submit hasn't yet taken ownership of the queue 918 * then we need to drop the reference ourself: 919 */ 920 msm_submitqueue_put(queue); 921 } 922 if (!IS_ERR_OR_NULL(post_deps)) { 923 for (i = 0; i < args->nr_out_syncobjs; ++i) { 924 kfree(post_deps[i].chain); 925 drm_syncobj_put(post_deps[i].syncobj); 926 } 927 kfree(post_deps); 928 } 929 930 if (!IS_ERR_OR_NULL(syncobjs_to_reset)) { 931 for (i = 0; i < args->nr_in_syncobjs; ++i) { 932 if (syncobjs_to_reset[i]) 933 drm_syncobj_put(syncobjs_to_reset[i]); 934 } 935 kfree(syncobjs_to_reset); 936 } 937 938 return ret; 939 } 940